Category: Yahoo

Several months after Yahoo warned users of a third data breach that occurred between 2015 and 2016, U.S. District Judge Lucy Koh in San Jose, California has said that breach victims now have the right to sue the company, allowing them to pursue breach of contract and unfair competition claims (via Reuters). Previously, Yahoo argued that these individuals lacked grounds to sue the company, but Koh has now rejected that claim.

This leaves "well over 1 billion users" open to sue the company, all of whom were affected by one of three total data breaches that began to gain notoriety in September 2016, when the company disclosed that "at least" 500 million Yahoo accounts were compromised in a late 2014 cyber attack. A second attack was disclosed in December 2016, regarding a user information leak that happened in August 2013, and then the third and presumably last warning about a previous attack came in February 2017.

This outlined a period of data breaches that began in 2013 and lasted until 2016, with Yahoo waiting more than three years to reveal information about any of the attacks. Breached info related to names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers.

Because each affected user now faces the risk of identity theft, Koh ruled in a 93-page decision that plaintiffs can now amend previously dismissed complaints to gain new legal ground against Yahoo.

“All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,” the judge wrote. Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data. Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge said.

“We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out,” John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said in an interview. “It’s the biggest data breach in the history of the world.”

Yahoo's disclosure of the security breaches came in the midst of its acquisition by Verizon, and ended up affecting the carrier's offer. After an initial offer of $4.83 billion, Verizon ended up purchasing Yahoo's core business assets for $4.48 billion in order to limit potential liability. The deal closed this past summer and at the same time, Verizon announced plans to lay off about 2,100 Yahoo employees.

Yahoo has issued a new warning to account holders about malicious hacks linked to a third data breach that the company disclosed late last year.

The warning relates to more recent malicious activity targeting accounts between 2015 and 2016, most likely perpetrated by a "state actor," according to Yahoo. Specifically, the hacks were achieved by using a form of "forged" cookies – text-based keys that give web users access to username and password information without having to re-enter it – created by software stolen from within Yahoo's internal systems.

A message was sent to affected Yahoo users on Wednesday, warning them of the unauthorized access to their accounts, but Yahoo did not reveal how many people were notified.

"Outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson told Associated Press. "The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders."

Yahoo's announcement came just hours after reports that Verizon was close to a renegotiated deal to buy Yahoo's core assets at a lower price. Last year, Verizon agreed to buy Yahoo’s core business for $4.83 billion, but on Wednesday Bloomberg News reported that the renegotiated deal would knock about $250 million off that price because of the security breaches that were revealed after the initial deal was agreed.

Back in September, Yahoo revealed that hackers had stolen the personal data of "at least" 500 million users, but by December, the internet company admitted that over one billion Yahoo user accounts had been compromised in a separate hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.

The internet company is currently under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner.

Yahoo is under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner, according to The Wall Street Journal.

In September 2016, the internet company revealed that an unidentified hacker had stolen the personal data of "at least" 500 million users. Then last month, the internet company admitted that over one billion Yahoo user accounts had been compromised in a hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.

According to today's report, the SEC is investigating why Yahoo waited years before disclosing the massive data breach, despite the fact that some staff had known about the incident since at least 2014. The SEC has requested documents from Yahoo relating to the hacks in order to decide whether the internet giant could have reported the breach to investors sooner.

Yahoo is currently negotiating a takeover bid by Verizon, which is reportedly seeking a $1 billion discount off an original $4.8 billion buyout agreement because of the hacking revelations. It's unclear what impact the SEC investigation will have on the deal, but Yahoo's share price had already fallen following the news.

Yahoo today announced that it believes more than one billion Yahoo user accounts were compromised in a hack by an unauthorized third party in August of 2013.

Information stolen from affected accounts includes names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers. Clear text passwords, bank account information, and credit/debit card information were not believed to be accessed in the attack.

According to Yahoo, the hack was discovered after law enforcement officials provided the company with what appeared to be Yahoo user data from an unknown source. Yahoo says it has not been able to identify the specific intrusion, but it is "likely" distinct from a late 2014 hack that compromised more than 500 million Yahoo user accounts.

Earlier this year, Yahoo confirmed that "at least" 500 million user accounts were accessed in September of 2014, and this marks a second attack during the same general timeframe.

Yahoo is notifying users who may have been affected by the attack, and says it has "taken steps" to secure their accounts by implementing mandatory password changes. Unencrypted security questions and answers have also been invalidated.

Along with the 2013 hack compromising 1 billion user accounts, Yahoo has also announced that an ongoing outside investigation suggests an unauthorized third party accessed proprietary code to forge cookies, a technique that may have been used by the hackers responsible for the September 2014 attack. Those account holders are also being notified.

The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

Yahoo suggests users "review all of their online accounts" to check for suspicious activity and change any passwords that might have been used for a Yahoo account and another online account. Yahoo also recommends implementing two-factor authentication and avoiding links from suspicious emails.

In 2016, the algorithms, networks and slabs of glass and metal that make up today’s digital tools had a direct impact on our lives in some very unexpected ways.

From Facebook’s fake news problem to the Galaxy Note7 literally exploding, that impact wasn’t always for the good, but there were also signs of hope thanks to the promise of virtual reality and driverless cars.

Here are the biggest tech stories of 2016:

1. The headphone jack

Apple’s annual iPhone launch always hits the mobile world like a shiny glass meteor, but the new iPhone 7 had an aftershock that will be felt for years: the removal of the headphone jack.